Clause 202c of German penal code endangers German IT industry

2008-07-21 00:00:00, frankro

In a substantial report to the Bundesverfassungsgericht (BVerfG,
German constitutional court), the Chaos Computer Club (CCC) has studied
the impact of the so-called "Hacker Paragraph", a change to the penal
code. The CCC concludes that clause 202c is unsuitable and even runs
contrary to the legislator's intended goal.

The programming, making available, distribution or acquisition of
so-called hacker-tools, which are necessary for the daily work of
network administrators and security experts, is penalized by clause
202c StGB (German penal code). Because of a constitutional complaint
against the new clause, the BVerfG is looking into the question of
whether it is generally possible to distinguish so-called hacker-tools
from allegedly harmless software. The CCC also studied the likely
consequences of the new law and whether the use of potentially harmful
software is necessary for reviewing the security of computer systems.

In the opinion of the CCC, the new fundamental right to the
confidentiality and integrity of IT systems implies that everybody
must be able to test their computer systems for security issues.
Therefore the possession, testing, public information sharing and
further development of so-called hacker-tools is mandatory.

The enactment of clause 202c has increased the risk of legal
proceedings against those who find or research security
vulnerabilities. It has already been observed that the voluntary
publication of detected security problems is clearly decreasing in
Germany. The clause's criminalization of dealing with malware
therefore leads to a worse situation for IT security in Germany.
Security researchers and companies can no longer perform their
services without running the risk of criminal prosecution.

The impact of clause 202c is described in detail in the report. Media
in the field of IT security, for instance, have already begun to limit
their coverage since the clause came into effect. Professional and
private security researchers are planning to emigrate from Germany, and
research and teaching have also strongly restricted themselves. Many
fears expressed by experts from the fields of computer science and
practice during the hearings in the Bundestag have already come true.

"The fact that the observable effects of the change to the penal code
are occurring exactly as predicted by the experts surprises no one. In
the long term Germany will become a target for criminals and a
gateway for industrial espionage, as the computer networks can't be
effectively defended anymore", Frank Rieger, speaker of the CCC,
comments. "The industry, as well as normal computer users, are denied
the possibility of testing computers for security vulnerabilities."

Overall, the CCC study makes clear that the legislator's goal of
improving the IT security situation by limiting access to malware and
attack tools has been missed. The criminalization of software
producers and users will lower the standard of security in Germany.
At the same time it creates disadvantages for German computer science
research and industry.

"The change of law brings no advantages but some severe
risks. It likely violates the constitutional rights of many, as it
restricts their freedom to carry out their professional duties as well
as restricting the freedoms of researchers and press significantly.
In order to not jeopardize the German IT industry, clause 202c must be
abolished as soon as possible", Rieger claims.